iriusrisk / OpenThreatModel

The Open Threat Modeling Format (OTM) defines a platform independent way to define the threat model of any system.

OTM under a standards body? #22

Open trevor-vaughan opened 11 months ago

trevor-vaughan commented 11 months ago

Discussions aren't active so I figure I'd start the thread here.

Are there plans to pursue OTM under one of the standards bodies?

While the standard itself seems reasonable, pushing for wider adoption is difficult when the standard is vendor-housed.

stevespringett commented 11 months ago

I think there's community support for OTM to be an OWASP project. Also, if IriusRisk would like OTM to be an international standard, Ecma should be seriously considered. OWASP and Ecma have built a working model that's community-based while ensuring the TC is actively involved. CycloneDX is the first to leverage the working model. I can make introductions if desired.

stephendv1 commented 11 months ago

Yes, there is always concern when a vendor is seen to control a standard/format. IMO, it is too early to go for a heavyweight standards body that adds too much bureaucratic overhead. An OWASP project seems like a faster alternative given where we are with OTM currently. There is some interest with other projects and I think it would help adoption if we had at least 2 other tools using the format. E.g. pytm, Threat Dragon.

trevor-vaughan commented 11 months ago

That's certainly reasonable.

Is pytm still alive? Last I checked it seemed functional but not really progressing.

jgadsden commented 11 months ago

Yes, pytm is still very much alive and is referenced by other projects, @izar to update us on this maybe

izar commented 11 months ago

Yup, pytm is very much alive. We have a lot going on behind the scenes, and at some point, we will have a fresh update. Regarding OTM, pytm needs changes to it to be able to actually use it - namely, making the x/y attributes not mandatory, as pytm has no concept of a graphical representation.

Just a couple of days ago we were discussing it at ThreatModCon and many of us agree with @stevespringett - we should work towards making OTM an external standard.

stephendv1 commented 11 months ago

@jgadsden what say you about Threat Dragon also using OTM as a supported format? @izar x/y co-ordinates can easily be made optional.

izar commented 11 months ago

@stephendv1 I went looking at it this morning and either there have been changes I hadn't seen or I had misread the spec (more likely....) - the x/y are only mandatory on Diagram type of Representation, which makes perfect sense.

OTOH... how about adding P to CIA?
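
An added illustration, not code from the OTM repository or from anyone in this thread, of the rule izar describes: a small Python check over a constructed OTM-style document that requires a numeric x/y position only where a component representation points at a representation of type "diagram", plus a helper that strips the diagram side altogether, which is the shape a tool with no graphical model (such as pytm) would produce or consume. The field names used (representations, type, position, size, file, line) follow my reading of the published OTM spec and are assumptions to verify against the current schema.

```python
"""Illustrative check: x/y is only required on diagram-type representations.

The document below is constructed for this example; the field names are
assumptions based on the published OTM spec, not a copy of the official
schema.
"""

import json

# Constructed OTM-style document with one diagram and one code
# representation; the component carries a position only on the diagram side.
SAMPLE_OTM = json.loads("""
{
  "otmVersion": "0.1.0",
  "project": {"name": "Example service", "id": "example-service"},
  "representations": [
    {"name": "Architecture Diagram", "id": "arch-diagram", "type": "diagram",
     "size": {"width": 1000, "height": 1000}},
    {"name": "Application Code", "id": "app-code", "type": "code"}
  ],
  "trustZones": [{"name": "Internet", "id": "internet"}],
  "components": [
    {"name": "Web API", "id": "web-api", "type": "web-service",
     "parent": {"trustZone": "internet"},
     "representations": [
       {"name": "Web API (diagram)", "id": "web-api-diagram",
        "representation": "arch-diagram",
        "position": {"x": 80, "y": 40}, "size": {"width": 100, "height": 80}},
       {"name": "Web API (code)", "id": "web-api-code",
        "representation": "app-code", "file": "src/api.py", "line": 1}
     ]}
  ],
  "dataflows": []
}
""")


def position_errors(otm: dict) -> list:
    """Return readable errors for component representations that point at a
    diagram but lack numeric x/y, or that point at an unknown representation
    id. Code and other non-diagram representations never need a position."""
    rep_types = {r["id"]: r.get("type") for r in otm.get("representations", [])}
    errors = []
    for comp in otm.get("components", []):
        for rep in comp.get("representations", []):
            ref = rep.get("representation")
            if ref not in rep_types:
                errors.append(f"{comp['id']}: unknown representation '{ref}'")
                continue
            if rep_types[ref] != "diagram":
                continue  # no geometry expected outside diagrams
            pos = rep.get("position") or {}
            if not all(isinstance(pos.get(k), (int, float)) for k in ("x", "y")):
                errors.append(
                    f"{comp['id']}: diagram representation '{rep.get('id')}' "
                    "lacks numeric x/y"
                )
    return errors


def diagram_free_copy(otm: dict) -> dict:
    """Return a deep copy with every diagram representation, and each
    component's reference to it, removed: the view a non-graphical tool
    would work with, which still passes position_errors()."""
    out = json.loads(json.dumps(otm))
    diagram_ids = {r["id"] for r in out.get("representations", [])
                   if r.get("type") == "diagram"}
    out["representations"] = [r for r in out["representations"]
                              if r["id"] not in diagram_ids]
    for comp in out.get("components", []):
        comp["representations"] = [r for r in comp.get("representations", [])
                                   if r.get("representation") not in diagram_ids]
    return out


if __name__ == "__main__":
    print("errors:", position_errors(SAMPLE_OTM))
    print("errors without diagram:", position_errors(diagram_free_copy(SAMPLE_OTM)))
```

The check deliberately keys on the referenced representation's type rather than on the presence of a position field, so a document that carries no diagram at all is valid without any geometry, which is the behaviour izar confirms the spec already has.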

jgadsden commented 11 months ago

Yes, I agree @stephendv1, and I have labelled the issue in Threat Dragon for version 2.2 (which is the next minor version), although no guarantee that we can find someone to do it.

jgadsden commented 11 months ago

@stephendv1 we have some good news in that @stevespringett and Matthew McDonald are working on OTM being a supported format for Threat Dragon

jgadsden commented 8 months ago

The Threat Dragon file/JSON schema is a bit quirky, with two versions for 1.x and 2.x. If OTM becomes an open standard then Threat Dragon version 3 could use it as its file format instead of the existing incompatible version 1.x and version 2.x formats.

stephendv1 commented 8 months ago

That is great news! Does Threat Dragon need many additional changes to the spec based on what's published currently?

jgadsden commented 8 months ago

Good point, I have raised an issue on Threat Dragon: Use OTM as the default file format #850, and have raised an issue for OTM to identify any extensions needed by OTM to cover all the information contained within Threat Dragon files: #26

stevespringett commented 8 months ago

Regarding "If OTM becomes an open standard...". OWASP is now a member of Ecma International. The CycloneDX community has worked with Ecma on developing a community-based standardization process that is going to be the model of the future. It would be possible to leverage what CycloneDX and Ecma have already created and use it as a template to create their own technical committee under Ecma with the end goal of making OTM an Ecma standard. Ecma also has liaison agreements with ISO and other standards bodies, so theoretically, OTM could also be an ISO standard by way of Ecma.

Please note that the standardization process that OWASP/Ecma created is lightweight while also ensuring full participation by both OWASP and Ecma TC member organizations.

If this is of interest to IriusRisk and the community, please let me know and we can discuss next steps.

jgadsden commented 8 months ago

Certainly from my point of view this is a good way forward. Threat Dragon will be working towards full integration with OTM whatever the outcome.